Sync from SUSE:ALP:Source:Standard:1.0 saltbundlepy-cryptography revision 547130ad7c2ae22c587b2ad03b53e54a

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

CVE-2023-23931-dont-allow-update-into.patch

@@ -0,0 +1,32 @@
+Index: cryptography-3.3.2/src/cryptography/hazmat/backends/openssl/ciphers.py
+===================================================================
+--- cryptography-3.3.2.orig/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ cryptography-3.3.2/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -135,7 +135,7 @@ class _CipherContext(object):
+         data_processed = 0
+         total_out = 0
+         outlen = self._backend._ffi.new("int *")
+-        baseoutbuf = self._backend._ffi.from_buffer(buf)
++        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+         baseinbuf = self._backend._ffi.from_buffer(data)
+ 
+         while data_processed != total_data_len:
+Index: cryptography-3.3.2/tests/hazmat/primitives/test_ciphers.py
+===================================================================
+--- cryptography-3.3.2.orig/tests/hazmat/primitives/test_ciphers.py
++++ cryptography-3.3.2/tests/hazmat/primitives/test_ciphers.py
+@@ -235,6 +235,14 @@ class TestCipherUpdateInto(object):
+         assert res == len(pt)
+         assert bytes(buf)[:res] == ct
+ 
++    def test_update_into_immutable(self, backend):
++        key = b"\x00" * 16
++        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++        encryptor = c.encryptor()
++        buf = b"\x00" * 32
++        with pytest.raises((TypeError, BufferError)):
++            encryptor.update_into(b"testing", buf)
++
+     @pytest.mark.supported(
+         only_if=lambda backend: backend.cipher_supported(
+             AES(b"\x00" * 16), modes.GCM(b"0" * 12)

CVE-2023-49083.patch

@@ -0,0 +1,45 @@
+From 66cb448876b1e95b637461d13560b970bae09e08 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 22 Nov 2023 16:49:56 -0500
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+Index: cryptography-3.3.2/src/cryptography/hazmat/backends/openssl/backend.py
+===================================================================
+--- cryptography-3.3.2.orig/src/cryptography/hazmat/backends/openssl/backend.py
++++ cryptography-3.3.2/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2664,9 +2664,12 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
++        certs = []
++        if p7.d.sign == self._ffi.NULL:
++            return certs
++
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+Index: cryptography-3.3.2/tests/hazmat/primitives/test_pkcs7.py
+===================================================================
+--- cryptography-3.3.2.orig/tests/hazmat/primitives/test_pkcs7.py
++++ cryptography-3.3.2/tests/hazmat/primitives/test_pkcs7.py
+@@ -80,6 +80,12 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+ 
++    def test_load_pkcs7_empty_certificates(self):
++        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++        certificates = pkcs7.load_der_pkcs7_certificates(der)
++        assert certificates == []
++
+ 
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic

cryptography-3.3.2.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEBf2foWz3VzUNkaVgI1rl8Sn57ZgFAmAgGngACgkQI1rl8Sn5
+7Zjfdwf8CO3jtW3dYS0sXDMQ1n300gUWW6y90xPj5elUfpG6YDREa+PDioo7CSzU
+Xb+ldbBqJPaD7aF5MJ3cEp67WcQ6qW5MqkcrRcTlZkA3EqQqIIFf66jYGf63u5kC
+QXTuU0hVx/JhqXYU8/LOja9lQ0SZirACYVR7pa3wFnJKaQeG0WLuT2ky9+UDW8nI
+zxuAz/ysLgmlfLE60rUR53nVIu05m2AOQYWNjaWAagwYa72Hqztksot4wNFhAiUu
+oe7yrbl7iEGkwzCAYWCl6HtSWIoXiQxUXOejzJVhyyOiubWFdDpWrflWUCZJdx2S
+Dze+PGSBjOUEFW/KFU+mGK3evyImdQ==
+=RmGY
+-----END PGP SIGNATURE-----

definitions-ERR_GET.patch

@@ -0,0 +1,18 @@
+--- a/src/_cffi_src/openssl/err.py
++++ b/src/_cffi_src/openssl/err.py
+@@ -38,12 +38,10 @@
+ unsigned long ERR_peek_error(void);
+ void ERR_clear_error(void);
+ void ERR_put_error(int, int, int, const char *, int);
+-
+-int ERR_GET_LIB(unsigned long);
+-int ERR_GET_FUNC(unsigned long);
+-int ERR_GET_REASON(unsigned long);
+-
+ """
+ 
+ CUSTOMIZATIONS = """
++# define ERR_GET_LIB(l)          (int)(((l) >> 24L) & 0x0FFL)
++# define ERR_GET_FUNC(l)         (int)(((l) >> 12L) & 0xFFFL)
++# define ERR_GET_REASON(l)       (int)( (l)         & 0xFFFL)
+ """

disable-uneven-sizes-tests.patch

@@ -0,0 +1,14 @@
+Index: cryptography-3.0/tests/hazmat/primitives/test_rsa.py
+===================================================================
+--- cryptography-3.0.orig/tests/hazmat/primitives/test_rsa.py
++++ cryptography-3.0/tests/hazmat/primitives/test_rsa.py
+@@ -174,7 +174,8 @@ class TestRSA(object):
+         ("public_exponent", "key_size"),
+         itertools.product(
+             (3, 65537),
+-            (1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048),
++            #(1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048),
++            (1024, 1026, 1028, 1030, 1536, 2048),
+         ),
+     )
+     def test_generate_rsa_keys(self, backend, public_exponent, key_size):

fips-mode.patch

@@ -0,0 +1,17 @@
+--- a/src/_cffi_src/openssl/fips.py
++++ b/src/_cffi_src/openssl/fips.py
+@@ -18,6 +18,14 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++int FIPS_mode_set(int) {
++    return 0;
++}
++
++int FIPS_mode(void) {
++    return 0;
++}
++
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_FIPS = 0;
+ int (*FIPS_mode_set)(int) = NULL;

fix-build-with-old-ssl.patch

@@ -0,0 +1,387 @@
+--- a/src/_cffi_src/openssl/bio.py
++++ b/src/_cffi_src/openssl/bio.py
+@@ -41,4 +41,7 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++int (*BIO_up_ref)(BIO *) = NULL;
++#endif
+ """
+--- a/src/_cffi_src/openssl/cryptography.py
++++ b/src/_cffi_src/openssl/cryptography.py
+@@ -36,6 +36,8 @@
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+     (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+ 
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
++    (OPENSSL_VERSION_NUMBER < 0x10100000 || CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+     (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+@@ -44,6 +46,10 @@
+     (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
+     (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
++
++#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
++    (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
++
+ #if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
+     !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
+ #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
+--- a/src/_cffi_src/openssl/crypto.py
++++ b/src/_cffi_src/openssl/crypto.py
+@@ -51,6 +51,10 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++void (*OPENSSL_cleanup)(void) = NULL;
++#endif
++
+ /* In 1.1.0 SSLeay has finally been retired. We bidirectionally define the
+    values so you can use either one. This is so we can use the new function
+    names no matter what OpenSSL we're running on, but users on older pyOpenSSL
+--- a/src/_cffi_src/openssl/dh.py
++++ b/src/_cffi_src/openssl/dh.py
+@@ -38,6 +38,15 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++/* added in 1.1.0 when the DH struct was opaqued */
++void (*DH_get0_pqg)(const DH *, const BIGNUM **, const BIGNUM **,
++                 const BIGNUM **) = NULL;
++int (*DH_set0_pqg)(DH *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
++void (*DH_get0_key)(const DH *, const BIGNUM **, const BIGNUM **) = NULL;
++int (*DH_set0_key)(DH *, BIGNUM *, BIGNUM *) = NULL;
++#endif
++
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+ #ifndef DH_CHECK_Q_NOT_PRIME
+ #define DH_CHECK_Q_NOT_PRIME            0x10
+--- a/src/_cffi_src/openssl/dsa.py
++++ b/src/_cffi_src/openssl/dsa.py
+@@ -34,4 +34,11 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++void (*DSA_get0_pqg)(const DSA *, const BIGNUM **, const BIGNUM **,
++                  const BIGNUM **) = NULL;
++int (*DSA_set0_pqg)(DSA *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
++void (*DSA_get0_key)(const DSA *, const BIGNUM **, const BIGNUM **);
++int (*DSA_set0_key)(DSA *, BIGNUM *, BIGNUM *) = NULL;
++#endif
+ """
+--- a/src/_cffi_src/openssl/evp.py
++++ b/src/_cffi_src/openssl/evp.py
+@@ -134,6 +134,7 @@
+                    const unsigned char *, size_t);
+ int EVP_DigestVerify(EVP_MD_CTX *, const unsigned char *, size_t,
+                      const unsigned char *, size_t);
++
+ /* Added in 1.1.0 */
+ size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *, unsigned char **);
+ int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *, const unsigned char *,
+@@ -179,12 +180,32 @@
+     return EVP_PKEY_id(key);
+ }
+ EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void) {
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++    return EVP_MD_CTX_create();
++#else
+     return EVP_MD_CTX_new();
++#endif
+ }
++
+ void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *md) {
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++    EVP_MD_CTX_destroy(md);
++#else
+     EVP_MD_CTX_free(md);
++#endif
+ }
+ 
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++EVP_MD_CTX *(*EVP_MD_CTX_new)(void) = NULL;
++void (*EVP_MD_CTX_free)(EVP_MD_CTX *) = NULL;
++int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
++                   uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
++                   size_t) = NULL;
++size_t (*EVP_PKEY_get1_tls_encodedpoint)(EVP_PKEY *, unsigned char **) = NULL;
++int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
++                                   size_t) = NULL;
++#endif
++
+ #if CRYPTOGRAPHY_IS_LIBRESSL || defined(OPENSSL_NO_SCRYPT)
+ static const long Cryptography_HAS_SCRYPT = 0;
+ int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
+--- a/src/_cffi_src/openssl/hmac.py
++++ b/src/_cffi_src/openssl/hmac.py
+@@ -23,4 +23,8 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++HMAC_CTX *(*HMAC_CTX_new)(void) = NULL;
++void (*HMAC_CTX_free)(HMAC_CTX *ctx) = NULL;
++#endif
+ """
+--- a/src/_cffi_src/openssl/nid.py
++++ b/src/_cffi_src/openssl/nid.py
+@@ -31,12 +31,24 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#ifndef NID_X25519
++static const long Cryptography_HAS_X25519 = 0;
++static const int NID_X25519 = 0;
++#else
++static const long Cryptography_HAS_X25519 = 1;
++#endif
+ #ifndef NID_ED25519
+ static const long Cryptography_HAS_ED25519 = 0;
+ static const int NID_ED25519 = 0;
+ #else
+ static const long Cryptography_HAS_ED25519 = 1;
+ #endif
++#ifndef NID_X448
++static const long Cryptography_HAS_X448 = 0;
++static const int NID_X448 = 0;
++#else
++static const long Cryptography_HAS_X448 = 1;
++#endif
+ #ifndef NID_ED448
+ static const long Cryptography_HAS_ED448 = 0;
+ static const int NID_ED448 = 0;
+--- a/src/_cffi_src/openssl/ocsp.py
++++ b/src/_cffi_src/openssl/ocsp.py
+@@ -78,7 +78,7 @@
+ 
+ CUSTOMIZATIONS = """
+ #if ( \
+-    !CRYPTOGRAPHY_IS_LIBRESSL && \
++    CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && \
+     CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+     )
+ /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+@@ -105,7 +105,7 @@
+ };
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ /* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+ const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+ {
+@@ -147,7 +147,7 @@
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+ const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+     return bs->signatureAlgorithm;
+ #else
+     return &bs->signatureAlgorithm;
+@@ -156,7 +156,7 @@
+ 
+ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+     return bs->tbsResponseData;
+ #else
+     return &bs->tbsResponseData;
+--- a/src/_cffi_src/openssl/rsa.py
++++ b/src/_cffi_src/openssl/rsa.py
+@@ -58,4 +58,20 @@
+ int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
+                                         int) = NULL;
+ #endif
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++int (*RSA_set0_key)(RSA *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
++int (*RSA_set0_factors)(RSA *, BIGNUM *, BIGNUM *) = NULL;
++int (*RSA_set0_crt_params)(RSA *, BIGNUM *, BIGNUM *, BIGNUM *) = NULL;
++void (*RSA_get0_key)(const RSA *, const BIGNUM **, const BIGNUM **,
++                  const BIGNUM **) = NULL;
++void (*RSA_get0_factors)(const RSA *, const BIGNUM **, const BIGNUM **) = NULL;
++void (*RSA_get0_crt_params)(const RSA *, const BIGNUM **, const BIGNUM **,
++                         const BIGNUM **) = NULL;
++int (*EVP_PKEY_CTX_set_rsa_padding)(EVP_PKEY_CTX *, int) = NULL;
++int (*EVP_PKEY_CTX_set_rsa_pss_saltlen)(EVP_PKEY_CTX *, int) = NULL;
++int (*EVP_PKEY_CTX_set_rsa_mgf1_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
++int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *, int) = NULL;
++
++//int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
++#endif
+ """
+--- a/src/_cffi_src/openssl/ssl.py
++++ b/src/_cffi_src/openssl/ssl.py
+@@ -510,7 +510,7 @@
+ // users have upgraded. PersistentlyDeprecated2020
+ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+ Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
+ #else
+@@ -563,7 +563,7 @@
+ 
+ /* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
+    removed */
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ static const long Cryptography_HAS_SSL_ST = 1;
+ #else
+ static const long Cryptography_HAS_SSL_ST = 0;
+@@ -572,7 +572,7 @@
+ static const long SSL_ST_INIT = 0;
+ static const long SSL_ST_RENEGOTIATE = 0;
+ #endif
+-#if !CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ static const long Cryptography_HAS_TLS_ST = 1;
+ #else
+ static const long Cryptography_HAS_TLS_ST = 0;
+@@ -702,4 +702,28 @@
+ #else
+ static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
+ #endif
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++const SSL_METHOD *(*TLS_method)(void) = NULL;
++const SSL_METHOD *(*TLS_server_method)(void) = NULL;
++const SSL_METHOD *(*TLS_client_method)(void) = NULL;
++
++int (*SSL_CIPHER_is_aead)(const SSL_CIPHER *) = NULL;
++int (*SSL_CIPHER_get_cipher_nid)(const SSL_CIPHER *) = NULL;
++int (*SSL_CIPHER_get_digest_nid)(const SSL_CIPHER *) = NULL;
++int (*SSL_CIPHER_get_kx_nid)(const SSL_CIPHER *) = NULL;
++int (*SSL_CIPHER_get_auth_nid)(const SSL_CIPHER *) = NULL;
++
++long (*SSL_CTX_set_min_proto_version)(SSL_CTX *, int) = NULL;
++long (*SSL_CTX_set_max_proto_version)(SSL_CTX *, int) = NULL;
++long (*SSL_set_min_proto_version)(SSL *, int) = NULL;
++long (*SSL_set_max_proto_version)(SSL *, int) = NULL;
++
++int (*SSL_SESSION_has_ticket)(const SSL_SESSION *) = NULL;
++long (*SSL_SESSION_get_ticket_lifetime_hint)(const SSL_SESSION *) = NULL;
++
++size_t (*SSL_SESSION_get_master_key)(const SSL_SESSION *, unsigned char *,
++                                  size_t) = NULL;
++size_t (*SSL_get_client_random)(const SSL *, unsigned char *, size_t) = NULL;
++size_t (*SSL_get_server_random)(const SSL *, unsigned char *, size_t) = NULL;
++#endif
+ """
+--- a/src/_cffi_src/openssl/x509name.py
++++ b/src/_cffi_src/openssl/x509name.py
+@@ -75,4 +75,7 @@
+ """
+ 
+ CUSTOMIZATIONS = """
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++int (*X509_NAME_ENTRY_set)(X509_NAME_ENTRY *) = NULL;
++#endif
+ """
+--- a/src/_cffi_src/openssl/x509.py
++++ b/src/_cffi_src/openssl/x509.py
+@@ -288,7 +288,7 @@
+ }
+ /* Added in 1.1.0 but we need it in all versions now due to the great
+    opaquing. */
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+ {
+     req->req_info->enc.modified = 1;
+@@ -298,5 +298,45 @@
+     crl->crl->enc.modified = 1;
+     return i2d_X509_CRL_INFO(crl->crl, pp);
+ }
++
++int X509_up_ref(X509 *x) {
++   return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++}
++
++const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
++{
++    return x->cert_info->signature;
++}
++
++/* from x509/x509_req.c */
++void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
++                             const X509_ALGOR **palg)
++{
++    if (psig != NULL)
++        *psig = req->signature;
++    if (palg != NULL)
++        *palg = req->sig_alg;
++}
++void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
++                             const X509_ALGOR **palg)
++{
++    if (psig != NULL)
++        *psig = crl->signature;
++    if (palg != NULL)
++        *palg = crl->sig_alg;
++}
++const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x)
++{
++    return x->revocationDate;
++}
++const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x)
++{
++    return x->serialNumber;
++}
++
++#define X509_set1_notBefore X509_set_notBefore
++#define X509_set1_notAfter X509_set_notAfter
++#define X509_getm_notAfter X509_get_notAfter
++#define X509_getm_notBefore X509_get_notBefore
+ #endif
+ """
+--- a/src/_cffi_src/openssl/x509_vfy.py
++++ b/src/_cffi_src/openssl/x509_vfy.py
+@@ -234,7 +234,7 @@
+ static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 0;
+ #ifndef X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
+ static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;
+@@ -243,7 +243,30 @@
+ static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER
++Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *ctx) {
++    return ctx->objs;
++}
++X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) {
++    return store->param;
++}
++int X509_OBJECT_get_type(const X509_OBJECT *x) {
++    return x->type;
++}
++
++/* from x509/x509_vfy.c */
++X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
++{
++    return ctx->cert;
++}
++
++X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
++    return x->data.x509;
++}
++#endif
++
++
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+ static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
+ typedef void *X509_STORE_CTX_get_issuer_fn;
+ X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;

saltbundlepy-cryptography.keyring

@@ -0,0 +1,34 @@
+pub   2048R/29F9ED98 2013-09-01
+uid                  Paul Kehrer <paul.l.kehrer@gmail.com>
+sub   2048R/9714E575 2013-09-01
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFIirTsBCADAeRXlWJkJ9SaKmR6+ox2aXOF3TCyfgtoJpf6WvBxbtoEpD//m
+5789KO9lPHQrJGR34E36kOkmkHfrLLtmnELCx/UNvLm3VuW31rL3RvTTrxe1Fyft
+5JQyYF/WSm6Bnj9yu8fVJUhSGe12SvODD7053bY1bSleMX5I6tGeIXJtih8b5u9u
+1WNv0rxZqGLKaYTzgmtNcyKGK9jLKtkRwPivpjgrjeGQ+OHf/mwFY+HEOQUw+Cj4
+5FsCo6jvj+n4r9mYu+Ut6zDOx0cWf66QhZvawDyB2TSSulJsudUETDmoJJ5X9PqH
+F/bHBdzc5I6HYy+CezSvDmjC+3DnIB//nXMPABEBAAG0JVBhdWwgS2VocmVyIDxw
+YXVsLmwua2VocmVyQGdtYWlsLmNvbT6JATgEEwECACIFAlIirTsCGwMGCwkIBwMC
+BhUIAgkKCwQWAgMBAh4BAheAAAoJECNa5fEp+e2YnM0H/i8bU3gQ/lMGli97Puui
+Sm5es3AwE+dC/ubaAB8Hcdm8UH50uOI6JcmLYYcjglnFEQSDzrKg649Dcvjx7hDN
+XoCx5V6dC8LcTVES5gGrRr/+ZXtsCVZn2TcLUMQ9bq1yb3jAYxOmWQ1rUvu0Kq+Z
+1j9IERKpt3MZcXBlOxHP6zIhaaerLLRn5+SjCHCAZQYsKh9f6fMoRvbmaLyKrLBn
+/n9/esn1b0joWEphwOER8UF5fckqDopovGojDXyNEKGGkXTkWtLk69AcaXcBI97X
+SqYUmzvnHcAPilpKmfdnvcGPrS/wSY/F4T71aeQ+1QoE83CfavNMQ09g4rETSr3e
+Vlq5AQ0EUiKtOwEIANRWXywm/B46dy2paG/dd1ApwdX3siIfnCKXEsLB1iTA5/HW
+BZ5+hHRYmI24RyBj9lVhS9UJzpKZE+KLOZRFwMGGp3TxntInflamuI3iC1N7XqCz
+gLMFJdHPO60LctbvOHTOx1Scb+AycmymF1HuUFbj1jlYUkwRPOiPvHHWkYQlfeUP
+MPFo/M7Ae5FxKA4PYfJRQl62wsBRNE5k7IwOmstyUUnDZXIxpB+wNvpxQpAvWT8B
+IyAvtlrkrE53frfyd0KUOR0iSHNcWcUL0L6XvsaOYb4i20bP7YE5XoVzzANbXTa1
+wVtz2yNoI7/8BLb2NMIacykUxryYtu6E9cmnwkkAEQEAAYkBHwQYAQIACQUCUiKt
+OwIbDAAKCRAjWuXxKfntmM/yB/91f/17kL4iAS05WgM1xvgmyYJ3FOgP3hyqD5Ur
+YkkmoFoF+r6bfBlW8AeOawYTvXinKdv9sM6q0EmiO+iqAuRRfaXZWCDqZdEpy+lv
+Ev3jhVyuf8O+d8VEILsKia0cmzn6F1UMdp3E9TDgXr1/hMCuABvbfWzEkRQrGHc2
+cWLXXxko3mykZMLkl0MPGjmzEh87RE55hLk5HroXaMtdyz1knfybVnXgOUxMuqc+
++wj499FP1jHvTEEknRopxsMe59+CdsoFBR9xs0Ets7K011P4CMKZZAXVwxF551QL
+xnqe0Tn1t76rxPJKpyvUM+WtakEVPffuQqSkU8dIJgwwXrZo
+=3pQn
+-----END PGP PUBLIC KEY BLOCK-----

saltbundlepy-cryptography.spec

@@ -0,0 +1,130 @@
+#
+# spec file for package saltbundlepy-cryptography
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?!saltbundlepy_module:%define saltbundlepy_module() saltbundlepy-%{**}}
+%define pythons saltbundlepy
+
+# Disable python bytecompile for all distros
+# It's called explicitly in the spec
+%global __brp_python_bytecompile %{nil}
+
+%bcond_with     test
+
+Name:           saltbundlepy-cryptography
+Version:        3.3.2
+Release:        0
+Summary:        Python library which exposes cryptographic recipes and primitives
+License:        Apache-2.0 OR BSD-3-Clause
+Group:          Development/Languages/Python
+URL:            https://cryptography.io/en/latest/
+Source0:        https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz
+Source1:        https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz.asc
+Source2:        %{name}.keyring
+# PATCH-FIX-SLE disable-uneven-sizes-tests.patch bnc#944204
+Patch1:         disable-uneven-sizes-tests.patch
+Patch2:         skip_openssl_memleak_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-23931-dont-allow-update-into.patch bsc#1208036
+Patch3:         CVE-2023-23931-dont-allow-update-into.patch
+# PATCH-FIX-UPSTREAM CVE-2023-49083.patch bsc#1217592
+Patch4:         CVE-2023-49083.patch
+%if (0%{?sle_version} && 0%{?sle_version} < 150000) || 0%{?suse_version} == 1110 || 0%{?rhel} == 7 || 0%{?debian} == 12 || 0%{?ubuntu} == 2204
+Patch100:       fix-build-with-old-ssl.patch
+%endif
+%if 0%{?debian} == 12 || 0%{?ubuntu} == 2204 || 0%{?rhel} == 9 || 0%{?suse_version} >= 1600
+Patch101:       definitions-ERR_GET.patch
+Patch102:       fips-mode.patch
+%endif
+BuildRequires:  %{saltbundlepy_module asn1crypto >= 0.21.0}
+BuildRequires:  %{saltbundlepy_module cffi >= 1.7}
+BuildRequires:  %{saltbundlepy_module cryptography-vectors >= %{version}}
+BuildRequires:  %{saltbundlepy_module devel >= 3.10}
+BuildRequires:  %{saltbundlepy_module idna >= 2.1}
+BuildRequires:  %{saltbundlepy_module pyasn1-modules}
+BuildRequires:  %{saltbundlepy_module pytz}
+BuildRequires:  %{saltbundlepy_module setuptools >= 11.3}
+BuildRequires:  %{saltbundlepy_module six >= 1.4.1}
+BuildRequires:  fdupes
+%if 0%{?suse_version} == 1110 || 0%{?suse_version} == 1315
+BuildRequires:  saltbundle-libopenssl-devel
+%else
+BuildRequires:  libopenssl-devel
+%endif
+BuildRequires:  pkgconfig
+BuildRequires:  saltbundlepy-rpm-macros
+BuildRequires:  saltbundle-libffi-devel
+Requires:       saltbundlepy-asn1crypto >= 0.21.0
+Requires:       saltbundlepy-cffi >= 1.7
+Requires:       saltbundlepy-idna >= 2.1
+Requires:       saltbundlepy-packaging
+Requires:       saltbundlepy-pyasn1 >= 0.1.8
+Requires:       saltbundlepy-setuptools >= 11.3
+Requires:       saltbundlepy-six >= 1.4.1
+# SECTION Test requirements
+%if %{with test}
+BuildRequires:  %{python_module hypothesis >= 1.11.4}
+BuildRequires:  %{python_module iso8601}
+BuildRequires:  %{python_module packaging}
+BuildRequires:  %{python_module pretend}
+BuildRequires:  %{python_module pyasn1 >= 0.1.8}
+BuildRequires:  %{python_module pytest > 3.3.0}
+%endif
+# /SECTION
+%python_subpackages
+
+%description
+cryptography is a package designed to expose cryptographic
+recipes and primitives to Python developers.  Our goal is
+for it to be your "cryptographic standard library". It
+supports Python 2.7, Python 3.4+, and PyPy-5.3+.
+
+cryptography includes both high level recipes, and low
+level interfaces to common cryptographic algorithms such as
+symmetric ciphers, message digests and key derivation
+functions.
+
+%prep
+%setup -q -n cryptography-%{version}
+%autopatch -p1
+
+%build
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+%python_build
+
+%install
+# Actually other *.c and *.h are appropriate
+# see https://github.com/pyca/cryptography/issues/1463
+find . -name .keep -print -delete
+
+%python_install
+%python_expand %fdupes %{buildroot}%{$python_sitearch}
+
+%check
+%{python_expand # Just a simple test loading the module
+export PYTHONPATH="%{buildroot}%{$python_sitearch}"
+$python -c 'from cryptography.hazmat.bindings._openssl import ffi, lib; fips_mode = getattr(lib, "FIPS_mode"); mode = fips_mode()'
+}
+%if %{with test}
+%pytest_arch
+%endif
+
+%files %{python_files}
+%license LICENSE LICENSE.APACHE LICENSE.BSD
+%doc AUTHORS.rst CONTRIBUTING.rst CHANGELOG.rst README.rst
+%{python_sitearch}/*
+
+%changelog

skip_openssl_memleak_test.patch

@@ -0,0 +1,18 @@
+Index: cryptography-3.0/tests/hazmat/backends/test_openssl_memleak.py
+===================================================================
+--- cryptography-3.0.orig/tests/hazmat/backends/test_openssl_memleak.py
++++ cryptography-3.0/tests/hazmat/backends/test_openssl_memleak.py
+@@ -153,10 +153,9 @@ def assert_no_memory_leaks(s, argv=[]):
+ 
+ 
+ def skip_if_memtesting_not_supported():
+-    return pytest.mark.skipif(
+-        not Binding().lib.Cryptography_HAS_MEM_FUNCTIONS,
+-        reason="Requires OpenSSL memory functions (>=1.1.0)",
+-    )
++    return pytest.mark.skip(
++        reason="Our FIPS openssl startup code invokes CRYPTO_malloc() which prevents later debugging via CRYPTO_set_mem_functions()"
++     )
+ 
+ 
+ @pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0")